I'm not sure that this will affect personal forums unless you are running the forum as a business; i.e. selling something. However, having said that, many EU regulations are quite ambiguous in their definition of scope when it comes to something (or an entity) that sits on the borderline of whether said regulation applies or not. On the face of it, from what I've read, it's mostly about business and companies retaining personal data in relation to selling a product or service. I have serious doubts as to whether this will apply to private forums run by individuals as a hobby or extended interest, with the proviso that said forums or sites are not actually selling anything.

I reckon it will be another one of those 'wait and see' scenarios - the EU thinks it rules the world and can dictate (as any dictatorship will) what goes and what does not. Personally, I wouldn't lose any sleep over this.

Are they paid services? Are you selling anything? If not, I wouldn't worry about it. Look at the wording too: "any company". Are you a company? If not, then it most likely will not affect you, but with the EU who can say? If you are in any doubt at all, I would contact someone (or some body) to clarify how it may or may not affect you.

What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

and the penalties

What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.

I take from it that you need to ensure the data being obtained is accurate, correct, and its use is clearly outlined. You are also responsible for ensuring reasonable measures are taken to ensure there is no unauthorised access to this data. No idea what would happen if there was a 0-day vuln in some software you were using, and the DB was exploited. It does mention that you should notify people in a timely manner of any breach.

But....it's the EU, and they love making things very difficult to follow and as complicated as possible.

Not really. Your company uses Visa/Mastercard/PayPal for payment processing? This is enough for EU courts to charge you for mishandling their citizens' data. Whether your payment processor will in turn charge you is up to them.

Broadly, for organisations that are relevant, it seems to concern consent and customers having control on how data is obtained and processed. A fair amount of this can be mitigated by having good processes on data collection, a decent 'need to know' basis on why you need specific personal data (ensuring that this is reasonable) and clarity in T&Cs so users know what data is held, how it is processed and the control they have over its removal.

There are possibly more complex considerations over the 'active' consent and age verification of children but for now, a lot of the practical implications of this are still up in the air. Particularly for the UK and our own legislative hokey cokey (sigh). Still, I don't think the GDPR comes into force until May 2018 so let's hope there's clarity by then!

Three reasons - it's too tricky to know what if any EU regulations we may still need to follow depending on the agreement reached and how long it may take in the meantime to reach it, because an equivalent law will possibly come into effect in the UK if we're exempt from the EU and because if we have EU citizens using services we may still need to follow it.

I don't think so, because that's not their personal information. It's just the data you are collecting about them (IP / Name / email etc).

Matt, it's the part of what you quoted bolded below which has me concerned:

It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Forums are social networking websites, and members post personal things very often. I don't mind having to delete a member's posts on request, but a requirement to make them easily transportable seems like it would be difficult to satisfy.